Thinkpad+Heads with QubesOS for Anti Evil Maid

I already have QubesOS and Coreboot with me cleaned on my thinkpad, however I’m looking into Heads for better AEM.

I am seeing in the Purism documentation that Heads on QubesOS requires a 2FA key, but I'm also seeing documentation saying you can use TOTP with a phone app. I'm sure there's many people on this forum also using Heads, so which one is it? Do I need to purchase a Nitrokey to use Heads on my ThinkPad?

Sorry if this is not completely Qubes related, but I can’t find anything.

No. From what I’ve read about HEADS, the security key is just a really cool feature for verifying trusted boot and implementing 2FA at the BIOS level.

If you find an easy way to move from Coreboot to HEADS, let me know. It requires a flash with jumpers, I believe. A CH341A 1.6+ with voltage selector external programmer, for instance.

I think Purism uses PureOS, not Qubes. Nitrokey has the sort of setup you’re describing.

AEM requires Intel TXT, so if you have already removed/neutralized the IME, you can't utilize Qubes' own AEM in dom0. But trusted boot is also a form of AEM, except I'm not sure if I/O is disabled prior to successful security key login.

It depends on your ThinkPad model whether there is a Heads release available for it; see here for more information on Heads prerequisites:

If your laptop is not listed, porting from Coreboot is definitely possible particularly if Coreboot already works on it but not trivial (e.g. just install x, y, z and you’re good - there may be things not working).

The Heads prerequisites also describe the TOTP question: yes, you can do TOTP+HOTP if it's supported in your laptop's Heads release. You should not need to purchase a Nitrokey (HOTP) for Heads, but it would improve the boot user experience.

Purism uses Qubes or PureOS. I use a Purism Librem with PureBoot (Heads fork) and Qubes, and use TOTP for it with a phone app in addition to the Librem Key. You just have to be quick to generate your TOTP code right before the laptop does so they match, but it's not difficult.

For more on Heads:

Is there a way to Write Protect firmware on the hardware level?

Does setting a BIOS password on stock firmware do the same thing as flashrom --wp-enable on the software level?

Is there a way to Write Protect firmware on the hardware level?

It depends on the computer in question.
Some machines have certain firmware protected by hardware switch.